Abstract

Let $\mathbb{K}$ be an algebraic number field of degree $d$ and discriminant $\Delta$ over $\mathbb{Q}$. Let $\mathcal{A}$ be
an associative algebra over $\mathbb{K}$ given by structure constants such that $\mathcal{A} \cong M_n(\mathbb{K})$ holds for
some positive integer $n$. Suppose that $d$, $n$ and $|\Delta|$ are bounded. Then an isomorphism
$\mathcal{A} \to M_n(\mathbb{K})$ can be constructed by a polynomial time ff-algorithm. An ff-algorithm is a
deterministic procedure which is allowed to call oracles for factoring integers and factoring
univariate polynomials over finite fields.

As a consequence, we obtain a polynomial time ff-algorithm to compute isomorphisms
of central simple algebras of bounded degree over $\mathbb{K}$.



1 Introduction

In this paper we consider the following algorithmic problem, which we call explicit isomorphism
problem: let $\mathbb{K}$ be an algebraic number field, $\mathcal{A}$ an associative algebra over $\mathbb{K}$. Suppose that $\mathcal{A}$ is
isomorphic to the full matrix algebra $M_n(\mathbb{K})$. Construct explicitly an isomorphism $\mathcal{A} \to M_n(\mathbb{K})$.
Or, equivalently, give an irreducible $\mathcal{A}$-module.

Recall that for an algebra $\mathcal{A}$ over a field $\mathbb{K}$ and a $\mathbb{K}$-basis $a_1, \dots, a_m$ of $\mathcal{A}$ over $\mathbb{K}$ the products
$a_i a_j$ can be expressed as linear combinations of the $a_i$:

$$a_i a_j = \gamma_{ij1} a_1 + \gamma_{ij2} a_2 + \cdots + \gamma_{ijm} a_m.$$

The elements $\gamma_{ijk} \in \mathbb{K}$ are called structure constants. In this paper an algebra is considered to
be given as a collection of structure constants. The usual representation of a number field $\mathbb{K}$
over $\mathbb{Q}$ with the minimal polynomial $f \in \mathbb{Z}[x]$ of an algebraic integer $\alpha \in \mathbb{K}$ with $\mathbb{K} = \mathbb{Q}(\alpha)$
can also be considered this way.

Key words and phrases: Central simple algebra, splitting, splitting element, Minkowski's theorem on
convex bodies, maximal order, real and complex embedding, lattice basis reduction, parametrization,
Severi-Brauer surfaces, n-descent on elliptic curves.

For basic definitions and facts from the theory of finite dimensional associative algebras the
reader is referred to [37] and [39]. Let $\mathcal{A}$ be a finite dimensional associative algebra over $\mathbb{K}$, which
is either a finite field or an algebraic number field. In [19] and [H] polynomial time algorithms
were proposed for the computation of the radical $\mathrm{Rad}(\mathcal{A})$, and for the computation of the
Wedderburn decomposition (the minimal two-sided ideals) of the semisimple part $\mathcal{A}/\mathrm{Rad}(\mathcal{A})$.
The algorithm for the Wedderburn decomposition is probabilistic (Las Vegas) in the finite case,
the others are deterministic. Alternative methods, improvements and related results have been
obtained in [Lj, [13], [7], p3], [IS], [UJ, [20], [23], [21], 0. A recent survey is [3].

To obtain a decomposition of $\mathcal{A}$ into minimal left ideals, one has to be able to solve the
explicit isomorphism problem for simple algebras over $\mathbb{K}$. In [H] this was shown to be possible
in randomized polynomial time when $\mathbb{K}$ is finite. This method was derandomized recently in [25]
in the case when the dimension of $\mathcal{A}$ over $\mathbb{K}$ is bounded. In [ID] and [UJ evidence (randomized
reduction) is presented that over algebraic number fields the explicit isomorphism
problem is at least as difficult as the task of factoring integers, a problem not known to be
amenable to polynomial time algorithms. For simple algebras over a number field $\mathbb{K}$ polynomial
time Las Vegas algorithms were given in [12] and [2] to find a number field $L \supset \mathbb{K}$ such that
$\mathcal{A} \otimes_{\mathbb{K}} L \cong M_n(L)$ for a suitable $n$, together with an explicit representation of the isomorphism. In
[2] a real version was established: if $\mathbb{K} \subset \mathbb{R}$, and $\mathcal{A}$ splits over $\mathbb{K}$, then it can be achieved that
$L \subset \mathbb{R}$. These results were derandomized in part in [13], and completely in [20].

Following [12] we recall the notion of an ff-algorithm. It is an algorithm which is allowed to
call an oracle for two types of subproblems. These are the problem of factoring integers, and
the problem of factoring polynomials over finite fields. We have no deterministic polynomial
time algorithms for these problems (but the latter one admits polynomial time randomized
algorithms). In both cases the cost of the oracle call is the length of the input to the call.

In [12] the problem of deciding if $\mathcal{A} \cong M_n(\mathbb{K})$ holds for an algebra $\mathcal{A}$ over a number field
$\mathbb{K}$ was shown to be in NP $\cap$ coNP. The proof relies on properties of maximal orders $\Lambda \le \mathcal{A}$
for central simple algebras $\mathcal{A}$ over $\mathbb{K}$. Maximal orders are in many ways analogous to the full
ring of algebraic integers in $\mathbb{K}$. The principal result of [26] is a polynomial time ff-algorithm to
construct maximal orders in simple algebras over $\mathbb{Q}$. A very similar algorithm is presented in
[35]. In [17] a more direct method is given for quaternion algebras.

Several of the algorithms mentioned here have implementations in the computer algebra
system Magma, see for example [33].

We mention also a somewhat surprising application of the algorithms for orders: they have
been applied in the construction and analysis of high performance space time block codes for
wireless communication, see [22], [IS]. In fact, in addition to an application of the algorithm of
[26], in [22] an improvement is suggested for the orders relevant there.

The main result of this paper is a polynomial time ff-algorithm for the case when $\mathcal{A}$ is a
central simple algebra of bounded dimension over a small extension field $\mathbb{K}$ of $\mathbb{Q}$. This was
known before only in the smallest nontrivial case $\dim_{\mathbb{Q}} \mathcal{A} = 4$, see [2Z] and the more recent
papers [TT], [46], [47]. More precisely we have the following.

Theorem 1. Let $\mathbb{K}$ be an algebraic number field of degree $d$ and discriminant $\Delta$ over $\mathbb{Q}$. Let
$\mathcal{A}$ be an associative algebra over $\mathbb{K}$ given by structure constants such that $\mathcal{A} \cong M_n(\mathbb{K})$ holds
for some positive integer $n$. Suppose that $d$, $n$ and $|\Delta|$ are bounded. Then an isomorphism
$\mathcal{A} \to M_n(\mathbb{K})$ can be constructed by a polynomial time ff-algorithm.

We remark that the algorithm of Theorem 1 gives an explicit isomorphism even if we do not
assume that $\log|\Delta|$, $n$, and $d$ are bounded. However, the running time then may be exponential
in these parameters. This holds also for the algorithmic applications given in the last section
of the paper.

In addition to computational representation theory, where the problem naturally originates,
the explicit isomorphism problem arises also in connection with computational problems
of arithmetic geometry: in a series of seminal papers [5], [3], and [TU] the n-Selmer group of
an elliptic curve $E$ over a number field $\mathbb{K}$ is studied. A method is developed to represent the
elements of the Selmer group as genus one normal curves of degree $n$. One of the key ingredients
of their method is to solve the explicit isomorphism problem for $M_n(\mathbb{K})$. In [10] an algorithm
is outlined for the explicit isomorphism problem over $\mathbb{K} = \mathbb{Q}$, and is detailed for the cases
$n = 3, 5$. Our approach is based on similar ideas.

An algorithm for explicit isomorphisms is useful also for computing parametrizations in
algebraic geometry: [IT] considers parametrizations of conics, and [21] gives algorithms for
rational parametrization of Severi-Brauer surfaces. In fact, in [2T] an algorithm is given which
solves the explicit isomorphism problem when A = M^(Q). This, however, uses a procedure for
solving norm equations whose complexity was not clear so far. For example it was not known
if they can be solved in ff-polynomial time. The case A = M^Q) is treated similarly in [38].

The organization of the paper is as follows. First, in Section 2 we prove Theorem 1 in
the simpler case $\mathbb{K} = \mathbb{Q}$. This combines the approach of Fisher [18] (that is used in [10] as
well), which considers a real embedding of $\mathcal{A}$, with an application of Minkowski's theorem on
convex bodies, and with approximate lattice basis reduction. In the next section the argument
is extended to number fields. An important role is played here by the traditional map in
algebraic number theory which maps $\mathbb{K}$ into $\mathbb{R}^d$, see Section 13, Chapter I. in [29].

In the last section two applications are presented. One of these is a polynomial time
ff-algorithm to compute isomorphisms of central simple algebras of bounded degree over $\mathbb{K}$.

Acknowledgement. We are grateful to Geza Kos and Sandor Z. Kiss for discussions on the
subject. We thank Jacques-Arthur Weil for calling our attention to [T8j.

2 Full matrix algebras over $\mathbb{Q}$

Here we consider the case $\mathbb{K} = \mathbb{Q}$ of Theorem 1. We prove first a statement on the existence of
small and highly singular elements in maximal orders.

Theorem 2. Let $\mathcal{A}$ be a $\mathbb{Q}$-subalgebra of $M_n(\mathbb{R})$ isomorphic to $M_n(\mathbb{Q})$ and let $\Lambda$ be a maximal
$\mathbb{Z}$-order in $\mathcal{A}$. Then there exists an element $C \in \Lambda$ which has rank 1 as a matrix, and whose
Frobenius norm $\|C\|$ is less than $n$.

Remark 3. When we apply the above theorem, the Frobenius norm $\|\cdot\|$ will be inherited from
$M_n(\mathbb{R})$, with respect to an arbitrary embedding of $\mathcal{A}$ into $M_n(\mathbb{R})$. Recall that for a matrix
$X \in M_n(\mathbb{R})$ we have $\|X\| = \sqrt{\mathrm{Tr}(X^T X)}$.

Proof. The isomorphism $\mathcal{A} \cong M_n(\mathbb{Q})$ extends to an automorphism of $M_n(\mathbb{R})$. Therefore, by the
Noether-Skolem Theorem, there exists a matrix $P \in M_n(\mathbb{R})$ such that $\mathcal{A} = P M_n(\mathbb{Q}) P^{-1}$. Let $\Lambda'$
denote the standard maximal order $M_n(\mathbb{Z})$ in $M_n(\mathbb{Q})$. The theory of maximal orders in central
simple algebras over $\mathbb{Q}$ implies that there exists an invertible rational matrix $P' \in M_n(\mathbb{Q})$
such that it gives us $P^{-1}\Lambda P$ from $\Lambda'$: $P^{-1}\Lambda P = P'\Lambda' P'^{-1}$, whence $\Lambda = PP'\Lambda' P'^{-1}P^{-1}$. Set
$Q = PP'/(|\det P \det P'|)^{1/n}$. Clearly $Q \in M_n(\mathbb{R})$, $\det Q$ is $\pm 1$ and

$$\Lambda = Q\Lambda' Q^{-1}.$$

Let $p$ denote the left ideal of $\Lambda'$ consisting of all integer matrices which have zero everywhere
except in the first column. Clearly $p$ is a lattice of determinant 1 in the linear space $S$ of
all real matrices having nonzeros only in the first column. Now the lattice $L = Qp$ will be a
sublattice of $S$, with determinant 1 (see Subsection 2.2 from [M] for basic facts on lattices in
real Euclidean spaces).

We can apply Minkowski's theorem on lattice points in convex bodies to $L$ in $S$, and to the
ball of radius $\sqrt{n}$ in $S$ centered at the zero matrix (we refer here to the Euclidean distance,
that is, the Frobenius norm on $M_n(\mathbb{R})$). The volume (calculated in $S$) of the ball is more than
$2^n$, as it contains $2^n$ internally disjoint copies of the $n$-dimensional unit cube, and more. We
infer that there exists an element $B \in p$ such that $QB$ is a nonzero matrix whose length is less
than $\sqrt{n}$. Clearly $B$ and hence $QB$ is a rank 1 matrix.

Next consider the "transpose" of this argument with $Q^{-1}$ in the place of $Q$: there exists a
nonzero integer matrix $B'$, which is zero everywhere except in the first row, such that $B'Q^{-1}$
is nonzero, and has Euclidean length less than $\sqrt{n}$.

Now

$$C = QBB'Q^{-1}$$

meets the requirements of the statement. Indeed, it is in $\Lambda$ because $BB' \in M_n(\mathbb{Z})$. It has
length less than $n$ because the Frobenius norm is submultiplicative:

$$\|C\| = \|(QB)(B'Q^{-1})\| \le \|QB\| \cdot \|B'Q^{-1}\| < (\sqrt{n})^2 = n.$$

Obviously, $C$ has rank at most 1, as $B$ and $B'$ are of rank 1. Finally, from the shape of $B$ and
$B'$ we see that $BB' \ne 0$, hence $\mathrm{rank}\, BB' = \mathrm{rank}\, C = 1$. This finishes the proof. □



Remark. Essentially the above reasoning shows the existence of a rank one $C \in \Lambda$ such that
$\|C\| \le \gamma_n$, where $\gamma_n$ is Hermite's constant (see Chapter IX, [5]). This bound is achieved if we
select $B$ and $B'$ whose norm is at most
This gives a better bound for large values of $n$.

The following two lemmas point out that elements $X$ from an order $\Lambda \subset M_n(\mathbb{Q})$ with $\|X\|$
small are necessarily zero divisors.

Lemma 4. Let $X \in M_n(\mathbb{C})$ be a matrix such that $\det X$ is an integer, and $\|X\| < \sqrt{n}$. Then
$X$ is a singular matrix.

Proof. The argument is essentially from [18]. Let $X = QR$ be the QR decomposition of $X$,
with $Q$ unitary and $R$ an upper triangular matrix whose diagonal entries are $r_1, r_2, \dots, r_n$. We
have

$$|\det X|^{2/n} = \left(|r_1|^2 |r_2|^2 \cdots |r_n|^2\right)^{1/n} \le \frac{1}{n}\left(|r_1|^2 + |r_2|^2 + \cdots + |r_n|^2\right) \le \frac{1}{n}\|R\|^2 = \frac{1}{n}\|X\|^2 < 1.$$

Here we used the fact that $\|X\| = \sqrt{\mathrm{Tr}(X^*X)} = \sqrt{\mathrm{Tr}(R^*R)}$ because $Q^*Q = I$. We conclude
that $\det X = 0$. □

The next statement has a similar flavour. It was pointed out to us by our colleague Geza
Kos.

Lemma 5. Let $X \in M_n(\mathbb{Q})$ be a matrix whose characteristic polynomial has integral coefficients,
and $\|X\| < 1$. Then $X$ is a nilpotent matrix.

Proof. The eigenvalues of $X$ are algebraic integers, hence the eigenvalues of $X^t$ are algebraic
integers as well, for any positive integer $t$. We infer that the characteristic polynomial of $X^t$
has integral coefficients. Also, the norm condition implies that $X^t$ tends to the zero matrix $O$
as $t \to \infty$, hence $X^t = O$ for a sufficiently large $t$. □

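The following argument is from H. W. Lenstra, see p. 546 in [32]. Informally, it states that
the coefficients with respect to a reduced basis of a vector $\mathbf{v}$ with small length $|\mathbf{v}|$ from a lattice
$\Gamma$ are relatively small.

Lemma 6. Let $\Gamma$ be a full lattice in $\mathbb{R}^m$. Suppose that we have a basis $\mathbf{b}_1, \dots, \mathbf{b}_m$ of $\Gamma$ over $\mathbb{Z}$
such that

$$|\mathbf{b}_1| \cdot |\mathbf{b}_2| \cdots |\mathbf{b}_m| \le c_m \cdot \det(\Gamma) \qquad (1)$$

holds for a real number $c_m > 0$. Suppose that

$$\mathbf{v} = \sum_{i=1}^{m} \gamma_i \mathbf{b}_i \in \Gamma, \qquad \gamma_i \in \mathbb{Z}.$$

Then we have $|\gamma_i| \le c_m \frac{|\mathbf{v}|}{|\mathbf{b}_i|}$ for $i = 1, \dots, m$.

Proof. From Cramer's rule we obtain

$$|\gamma_i| = \frac{|\det(\mathbf{b}_1, \mathbf{b}_2, \dots, \mathbf{b}_{i-1}, \mathbf{v}, \mathbf{b}_{i+1}, \dots, \mathbf{b}_m)|}{\det(\Gamma)} \le \frac{|\mathbf{b}_1| \cdots |\mathbf{b}_{i-1}| \cdot |\mathbf{v}| \cdot |\mathbf{b}_{i+1}| \cdots |\mathbf{b}_m|}{\det(\Gamma)}$$

$$= \frac{|\mathbf{v}|}{|\mathbf{b}_i|} \cdot \frac{|\mathbf{b}_1| \cdots |\mathbf{b}_{i-1}| \cdot |\mathbf{b}_i| \cdot |\mathbf{b}_{i+1}| \cdots |\mathbf{b}_m|}{\det(\Gamma)} \le \frac{|\mathbf{v}|}{|\mathbf{b}_i|} \cdot \frac{c_m \cdot \det(\Gamma)}{\det(\Gamma)} = c_m \cdot \frac{|\mathbf{v}|}{|\mathbf{b}_i|}.$$

□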



We remark that the LLL algorithm gives a basis with $c_m = 2^{m(m-1)/4}$ in formula (1), see
j. We shall have a lattice of vectors with nonrational coordinates, and thus invoke the
approximate version of the LLL algorithm developed by Buchmann, see Corollary 4 of [1]. This
will provide a reduced basis with

$$c_m := (\gamma_m)^{m/2} \left(\frac{3}{2}\right)^{m} 2^{\frac{m(m-1)}{2}}. \qquad (2)$$

Here $\gamma_m$ is Hermite's constant. It is known that $\gamma_m \le m$ for all integers $m \ge 1$, and — <
— + o(1) for $m$ large.

We can describe now the algorithm of Theorem 1 for the case $\mathbb{K} = \mathbb{Q}$. Suppose that, as
input, we have an algebra $\mathcal{A}$ over $\mathbb{Q}$, given to us by structure constants. Suppose also that
$\mathcal{A}$ is isomorphic to the full matrix algebra $M_n(\mathbb{Q})$. Our objective is to give this isomorphism
explicitly. More specifically the algorithm outputs an element $C \in \mathcal{A}$ which has rank 1 in
$M_n(\mathbb{Q})$. Then the left action of $\mathcal{A}$ on $\mathcal{A}C$ provides an $\mathcal{A} \to M_n(\mathbb{Q})$ isomorphism. The major
steps of the algorithm are the following.
1. Use the Ivanyos-Ronyai algorithm [26] to construct a maximal order $\Lambda$ in $\mathcal{A}$. This is a
polynomial time ff-algorithm.¹

2. Compute an embedding of $\mathcal{A}$ into $M_n(\mathbb{R})$. One uses here the deterministic polynomial
time algorithm obtained via the derandomization by de Graaf and Ivanyos [20] of the Las
Vegas algorithm of Eberly [H]. This way we have a Frobenius norm on $\mathcal{A}$. For $X \in \mathcal{A}$ we
can set $\|X\| = \sqrt{\mathrm{Tr}(X^T X)}$. Also, via this embedding $\Lambda$ can be viewed as a full lattice
in $\mathbb{R}^m$, where $m = n^2$. The length $|\mathbf{v}|$ of a lattice vector $\mathbf{v}$ is just the Frobenius norm of
$\mathbf{v}$ as a matrix.

3. Compute a rational approximation A of our basis B of $\Lambda$ with precision qo(B, ^,2 m ^ 1 )
(see Section 2 in [1] for the definition of the precision parameter $q_0$). One can use here
the algorithm of Schönhage² [44].

4. Compute a reduced basis $\mathbf{b}_1, \dots, \mathbf{b}_m$ of the lattice $\Lambda \subset \mathbb{R}^m$ by applying the LLL algorithm
to A. For $c_m$ we have the value from (2).

5. If some of the basis elements $\mathbf{b}_i$ is a zero divisor in $\mathcal{A}$, then there are two cases. If
$\mathrm{rank}\, \mathbf{b}_i = 1$, then we are done and stop with the output $C := \mathbf{b}_i$. Otherwise, if
$1 < \mathrm{rank}\, \mathbf{b}_i < n$, then we compute the right identity element $e$ of the left ideal $\mathcal{A}\mathbf{b}_i$ by
solving the straightforward system of linear equations, set $\mathcal{A} := e\mathcal{A}e$ and go back to Step
1.

6. At this point we know that $|\mathbf{b}_i| \ge \sqrt{n}$ holds for every $i$. Generate all integral linear
combinations $C = \sum_{i=1}^{m} \gamma_i \mathbf{b}_i$, where the $\gamma_i$ are integers, $|\gamma_i| \le c_m \frac{n}{|\mathbf{b}_i|} \le c_m \sqrt{n}$, until a $C$
is found with $\mathrm{rank}\, C = 1$. Output this $C$.
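
The last reduction above (a rank one element $C$ gives the isomorphism through the left action of $\mathcal{A}$ on $\mathcal{A}C$), as an added example that is not code from the paper. It assumes a constructed input, the split quaternion algebra $(2, 7)$ over $\mathbb{Q}$ given by structure constants, and it replaces Steps 1-5 (maximal order, real embedding, LLL) by a plain bounded search over integer combinations of the input basis, which only works for such a small input; all function names are hypothetical.

```python
from fractions import Fraction as F
from itertools import product

def quaternion_constants(a, b):
    """gamma[i][j][k] for the quaternion algebra (a, b) over Q on the basis
    1, i, j, k with i^2 = a, j^2 = b, ij = -ji = k (constructed input)."""
    table = {(0, 0): (1, 0), (0, 1): (1, 1), (0, 2): (1, 2), (0, 3): (1, 3),
             (1, 0): (1, 1), (1, 1): (a, 0), (1, 2): (1, 3), (1, 3): (a, 2),
             (2, 0): (1, 2), (2, 1): (-1, 3), (2, 2): (b, 0), (2, 3): (-b, 1),
             (3, 0): (1, 3), (3, 1): (-a, 2), (3, 2): (b, 1), (3, 3): (-a * b, 0)}
    gamma = [[[F(0)] * 4 for _ in range(4)] for _ in range(4)]
    for (i, j), (coeff, k) in table.items():
        gamma[i][j][k] = F(coeff)
    return gamma

def mul(gamma, x, y):
    """Product of two elements given by their coordinate vectors."""
    m = len(gamma)
    return [sum(x[i] * y[j] * gamma[i][j][k] for i in range(m) for j in range(m))
            for k in range(m)]

def unit(m, j):
    return [F(int(t == j)) for t in range(m)]

def rref(rows):
    """Gauss-Jordan elimination over Q; returns (nonzero reduced rows, pivot columns)."""
    M = [list(r) for r in rows]
    pivots, r = [], 0
    for c in range(len(M[0])):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        M[r] = [v / M[r][c] for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                M[i] = [v - M[i][c] * w for v, w in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    return M[:r], pivots

def rank(M):
    return len(rref(M)[1])

def mult_matrix(gamma, x, side):
    """Matrix whose column j holds x*a_j (side='left') or a_j*x (side='right')."""
    m = len(gamma)
    cols = [mul(gamma, x, unit(m, j)) if side == "left" else mul(gamma, unit(m, j), x)
            for j in range(m)]
    return [[cols[j][t] for j in range(m)] for t in range(m)]

def find_rank_one(gamma, n, bound):
    """Bounded search standing in for Steps 1-6: left multiplication by x on
    M_n(Q) has rank n * rank(x), so x has rank one iff that matrix has rank n."""
    m = len(gamma)
    for coeffs in product(range(-bound, bound + 1), repeat=m):
        x = [F(c) for c in coeffs]
        if rank(mult_matrix(gamma, x, "left")) == n:
            return x
    return None                                   # no zero divisor in the search box

def splitting_map(gamma, n, C):
    """Images of the basis a_1..a_m under A -> M_n(Q), from the left action on A*C."""
    m = len(gamma)
    RC = mult_matrix(gamma, C, "right")           # column space = left ideal A*C
    ideal = [[RC[t][j] for t in range(m)] for j in rref(RC)[1]]
    assert len(ideal) == n, "C is not a rank one element"

    def coords(v):                                # coordinates of v in the ideal basis
        red, _ = rref([[u[t] for u in ideal] + [v[t]] for t in range(m)])
        return [red[k][n] for k in range(n)]

    images = []
    for i in range(m):
        cols = [coords(mul(gamma, unit(m, i), u)) for u in ideal]
        images.append([[cols[k][r] for k in range(n)] for r in range(n)])
    return images

def is_isomorphism(gamma, images):
    """Check rho(a_i) rho(a_j) = sum_k gamma_ijk rho(a_k) and that rho is injective."""
    m, n = len(gamma), len(images[0])
    for i, j in product(range(m), repeat=2):
        lhs = [[sum(images[i][r][t] * images[j][t][c] for t in range(n))
                for c in range(n)] for r in range(n)]
        rhs = [[sum(gamma[i][j][k] * images[k][r][c] for k in range(m))
                for c in range(n)] for r in range(n)]
        if lhs != rhs:
            return False
    return rank([[M[r][c] for r in range(n) for c in range(n)] for M in images]) == m

if __name__ == "__main__":
    gamma = quaternion_constants(2, 7)            # split, since 3^2 = 2*1^2 + 7*1^2
    C = find_rank_one(gamma, 2, 2)
    rho = splitting_map(gamma, 2, C)
    print("rank one element:", C, "isomorphism:", is_isomorphism(gamma, rho))
    print("Hamilton quaternions:", find_rank_one(quaternion_constants(-1, -1), 2, 2))
```

For the Hamilton quaternions $(-1, -1)$, which are a division algebra and so violate the assumption $\mathcal{A} \cong M_n(\mathbb{Q})$, the search returns `None`.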



Proof of Theorem 1 for $\mathbb{K} = \mathbb{Q}$. As for the correctness of the algorithm, let $\mathbf{b}_1, \dots, \mathbf{b}_m$ be the basis
of $\Lambda$ obtained at Step 4 with $\|\mathbf{b}_1\| \le \cdots \le \|\mathbf{b}_m\|$. Then by Corollary 4 from [1] we have

$$\|\mathbf{b}_i\| \le \frac{3}{2} \cdot 2^{\frac{m-1}{2}} \lambda_i \quad \text{for } i = 1, \dots, m,$$

where $\lambda_i$ is the $i$-th successive minimum of $\Lambda$. From this we infer

$$\|\mathbf{b}_1\| \|\mathbf{b}_2\| \cdots \|\mathbf{b}_m\| \le \left(\frac{3}{2}\right)^{m} 2^{\frac{m(m-1)}{2}} \lambda_1 \cdots \lambda_m \le (\gamma_m)^{m/2} \left(\frac{3}{2}\right)^{m} 2^{\frac{m(m-1)}{2}} \det(\Lambda),$$

as claimed. At the last inequality we used Minkowski's inequality on successive minima (see
Chapter VIII in 0).

We remark also that, if at Step 5 we have $\mathrm{rank}\, e = k$, then it is easy to see that $e\mathcal{A}e \cong M_k(\mathbb{Q})$.
Moreover, a rank one element of $e\mathcal{A}e$ will have rank one in $\mathcal{A}$ as well. At Step 6 the $\mathbf{b}_i$ are
nonsingular matrices, hence $\|\mathbf{b}_i\| \ge \sqrt{n}$ holds by Lemma 4. Finally, Theorem 2 and Lemma 6
(this is applied for $\mathbf{v} := C$ and $|\mathbf{v}| < n$) show that an element $C$ with rank one exists among
the linear combinations enumerated.

Considering the timing of the algorithm, Step 1 runs in polynomial time as an ff-algorithm.
Steps 2, 4 and 5 can be done in deterministic polynomial time. At Step 3 the precision parameter
$q_0$ is polynomial in the input size, hence Schönhage's approximation algorithm (see also Section
3 of [30]) runs in polynomial time.

The number of jumps back to Step 1 is also bounded, hence each Step is carried out a
bounded number of times. Finally, the number of elements $C$ enumerated at Step 6 is at most
$(2c_m\sqrt{n} + 1)^m$; this is also bounded by our assumption. □

¹ It performs well if the integers to be factored are not very big. The method has been implemented in
Magma by de Graaf.

² For a more recent method see [36].

Remarks. 1. In Step 4 of the preceding algorithm one may also consider the idempotent
$f = I - e$, where $I$ is the identity element of $\mathcal{A}$. If $\mathrm{rank}\, f = 1$, then we can stop with $C := f$.
Otherwise, if $\mathrm{rank}\, f < \mathrm{rank}\, e$, then we may work with $f\mathcal{A}f$ instead of $e\mathcal{A}e$.
2. We could avoid jumps back to Step 1 if we had a good lower bound on the quantities $\|\mathbf{b}_i\|$.
Unfortunately, we do not have such a bound in general. The difficulty here may come from
the fact that the closure of the similarity-orbit of nilpotent matrices contains the zero matrix.
This is illustrated by the matrices

$$X = \begin{pmatrix} t & 0 \\ 0 & 1/t \end{pmatrix}, \qquad E = \begin{pmatrix} 0 & 1 \\ 0 & 0 \end{pmatrix}.$$

We have $XEX^{-1} = t^2 E$, hence $\|XEX^{-1}\|$ gets arbitrarily small as $t \to 0$.
3. We could have used Lemma 5 instead of Lemma 4. In this case we test in Step 4 if there is
a nilpotent element among the $\mathbf{b}_i$. Also, then in Step 5 we have to enumerate integral linear
combinations $\sum_{i=1}^{m} \gamma_i \mathbf{b}_i$ with $|\gamma_i| \le c_m \cdot n$.



3 The general case

Let $\mathbb{K}$ be a number field of degree $d$ over $\mathbb{Q}$, the maximal order of $\mathbb{K}$ is denoted by $R$ and the
positive discriminant of $R$ is $\Delta$. Let $\mathcal{A}$ be a central simple algebra over $\mathbb{K}$ such that $\mathcal{A} \cong M_n(\mathbb{K})$,
and let $\Lambda$ be a maximal order in $\mathcal{A}$.

It is known (see Reiner [39], Corollary 27.6) that there is an isomorphism $\psi : \mathcal{A} \to M_n(\mathbb{K})$
such that the image of $\Lambda$ is

$$\psi(\Lambda) = \begin{pmatrix} R & \cdots & R & J^{-1} \\ \vdots & & \vdots & \vdots \\ R & \cdots & R & J^{-1} \\ J & \cdots & J & R \end{pmatrix},$$

where $J$ is a fractional ideal of $R$ in $\mathbb{K}$. (The notation with a matrix having sets as entries refers
to all matrices $(x_{ij})_{i,j=1}^{n}$ whose elements belong to the designated sets, for example, $x_{11} \in R$,
$x_{n1} \in J$, etc.) Let $\sigma_1, \dots, \sigma_r$ be the embeddings of $\mathbb{K}$ into $\mathbb{R}$ and
$\sigma_{r+1}, \overline{\sigma_{r+1}}, \dots, \sigma_{r+s}, \overline{\sigma_{r+s}}$ be
the non-real embeddings of $\mathbb{K}$ into $\mathbb{C}$; here we have $d = r + 2s$.

For each $1 \le i \le r + s$ let us consider an embedding $\phi_i$ of $\mathcal{A}$ into $M_n(\mathbb{C})$, which extends
$\sigma_i$ (for $i \le r$ we require $\phi_i(\mathcal{A}) \le M_n(\mathbb{R})$). We remark that such embeddings can actually be
computed efficiently by the methods of [H] and [20]. For $x \in \mathcal{A}$ the matrices $\phi_i(x)$ are in
$M_n(\mathbb{C})$, hence we may speak about the absolute value of their entries. Set

$$b := \left(\frac{2}{\pi}\right)^{\frac{2s}{d}} \Delta^{\frac{1}{d}}.$$
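Theorem 7. There exists a rank one element $x \in \Lambda$ such that the entries of the matrices $\phi_i(x)$
for $i = 1, \dots, s + r$ all have absolute value at most $b$.

Proof. Let $\psi_i : \mathcal{A} \to M_n(\mathbb{C})$ be the composition of $\psi$ with the natural extension of $\sigma_i$ to $M_n(\mathbb{C})$.
These maps are shown at the diagram below. The vertical map is the extension of $\sigma_i$ from $\mathbb{K}$
to $M_n(\mathbb{K})$. The triangle is commutative.

$$M_n(\mathbb{C}) \xleftarrow{\ \phi_i\ } \mathcal{A} \xrightarrow{\ \psi\ } M_n(\mathbb{K}), \qquad \mathcal{A} \xrightarrow{\ \psi_i\ } M_n(\mathbb{C}), \qquad M_n(\mathbb{K}) \xrightarrow{\ \sigma_i\ } M_n(\mathbb{C})$$

Then the $\mathbb{C}$-linear extensions of the composite maps $\phi_i \psi_i^{-1}$ from $\psi_i(\mathcal{A})$ to $M_n(\mathbb{C})$ are
$\mathbb{C}$-algebra automorphisms of $M_n(\mathbb{C})$ (whose restrictions, for $i = 1, \dots, r$, to the real matrices
are automorphisms of $M_n(\mathbb{R})$). As these automorphisms must be inner, there exist matrices
$A_1, \dots, A_r \in GL_n(\mathbb{R})$ with determinant $\pm 1$ and $A_{r+1}, \dots, A_{r+s} \in SL_n(\mathbb{C})$ such that for
$i = 1, \dots, r + s$ we have

$$\phi_i(\Lambda) = A_i^{-1} \psi_i(\Lambda) A_i = A_i^{-1} \begin{pmatrix} \sigma_i(R) & \cdots & \sigma_i(R) & \sigma_i(J^{-1}) \\ \vdots & & \vdots & \vdots \\ \sigma_i(R) & \cdots & \sigma_i(R) & \sigma_i(J^{-1}) \\ \sigma_i(J) & \cdots & \sigma_i(J) & \sigma_i(R) \end{pmatrix} A_i.$$

Put $A'_i := (A_i^{-1})^T$. We show that there exist nonzero vectors $\mathbf{u} \in (R, \dots, R, J) \subset \mathbb{K}^n$ and
$\mathbf{v} \in (R, \dots, R, J^{-1}) \subset \mathbb{K}^n$ such that for every index $i = 1, \dots, r$, all the coordinates of $\sigma_i(\mathbf{u})A'_i$
and $\sigma_i(\mathbf{v})A_i$ are of "small" absolute values. Then all the entries of the matrix $\phi_i \psi^{-1}(\mathbf{u}^T \mathbf{v})$ will
be small, demonstrating that there exists a rank one element of $\Lambda$, namely $\psi^{-1}(\mathbf{u}^T \mathbf{v})$, which is
small in all the embeddings $\phi_i$.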

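To this end, we consider the set $\mathcal{M}$ of row vectors of length $nd$ of the form

$$(\sigma_1(\mathbf{u}), \dots, \sigma_r(\mathbf{u}), \sigma_{r+1}(\mathbf{u}), \overline{\sigma_{r+1}}(\mathbf{u}), \dots, \sigma_{r+s}(\mathbf{u}), \overline{\sigma_{r+s}}(\mathbf{u})), \qquad (3)$$

where $\mathbf{u} \in (R, \dots, R, J)$. $\mathcal{M}$ is a lattice in the linear space $\mathbb{C}^{dn}$ whose rank is $nd$ because of
the linear independence of field automorphisms, see Theorem 1.3 in [28]. The determinant of
lattice $\mathcal{M}$ is

$$\Delta^{n/2} N(J),$$

where $N(J)$ is the norm of the fractional ideal $J$ (see Proposition 13.4, Chapter I. in [29]). Next
we consider the set $\mathcal{M}'$ of vectors of the form

$$(\sigma_1(\mathbf{u})A'_1, \dots, \sigma_r(\mathbf{u})A'_r, \sigma_{r+1}(\mathbf{u})A'_{r+1}, \overline{\sigma_{r+1}}(\mathbf{u})\overline{A'_{r+1}}, \dots, \sigma_{r+s}(\mathbf{u})A'_{r+s}, \overline{\sigma_{r+s}}(\mathbf{u})\overline{A'_{r+s}}).$$

This set is obtained by multiplying vectors from $\mathcal{M}$ by the block diagonal matrix

$$\mathrm{diag}\left(A'_1, \dots, A'_r, A'_{r+1}, \overline{A'_{r+1}}, \dots, A'_{r+s}, \overline{A'_{r+s}}\right).$$

Here each block has determinant $\pm 1$, therefore the determinant of $\mathcal{M}'$ remains $\Delta^{n/2} N(J)$.
Finally we apply the block diagonal matrix

$$\mathrm{diag}\left(I, \dots, I, \begin{pmatrix} \frac{1}{2}I & \frac{1}{2i}I \\ \frac{1}{2}I & -\frac{1}{2i}I \end{pmatrix}, \dots, \begin{pmatrix} \frac{1}{2}I & \frac{1}{2i}I \\ \frac{1}{2}I & -\frac{1}{2i}I \end{pmatrix}\right),$$

where $I$ stands for the $n$ by $n$ identity matrix, and we have $r$ blocks of $I$. The determinant of
this matrix is $(i/2)^{ns}$. From $\mathcal{M}'$ we obtain the lattice $\mathcal{L}$ of rank $nd$ in $\mathbb{R}^{nd} \subset \mathbb{C}^{nd}$ consisting of
the vectors

$$(\sigma_1(\mathbf{u})A'_1, \dots, \sigma_r(\mathbf{u})A'_r, \Re(\sigma_{r+1}(\mathbf{u})A'_{r+1}), \Im(\sigma_{r+1}(\mathbf{u})A'_{r+1}), \dots, \Re(\sigma_{r+s}(\mathbf{u})A'_{r+s}), \Im(\sigma_{r+s}(\mathbf{u})A'_{r+s})), \qquad (4)$$

where $\mathbf{u}$ runs over $(R, \dots, R, J) \subset \mathbb{K}^n$. The determinant of $\mathcal{L}$ is $2^{-sn} \Delta^{n/2} N(J)$. We apply now
Minkowski's theorem on convex bodies to the lattice $\mathcal{L}$ and to the product of $rn$ one-dimensional
balls and $sn$ two-dimensional balls of radius

$$r(J) = \left(\left(\frac{2}{\pi}\right)^{sn} N(J) \Delta^{n/2}\right)^{\frac{1}{nd}}.$$

This is a closed convex centrally symmetric (with respect to the origin) body of volume

$$(2r(J))^{rn} \left(\pi r(J)^2\right)^{sn}.$$

This volume is $2^{nd} \det \mathcal{L}$. The theorem tells us that there exists a nonzero $\mathbf{u} \in (R, \dots, R, J)$
such that for every $1 \le i \le r + s$, all the coordinates of $\sigma_i(\mathbf{u})A'_i$ have absolute value at most
$r(J)$.

Similarly, there exists a nonzero vector $\mathbf{v} \in (R, \dots, R, J^{-1})$ such that for every $1 \le i \le r + s$,
all the coordinates of $\sigma_i(\mathbf{v})A_i$ have absolute value at most $r(J^{-1})$ where

$$r(J^{-1}) = \left(\left(\frac{2}{\pi}\right)^{sn} N(J^{-1}) \Delta^{n/2}\right)^{\frac{1}{nd}}.$$

Then $x = \psi^{-1}(\mathbf{u}^T \mathbf{v})$ is a rank one element of $\Lambda$ such that for every $i$, all the entries of the
matrix $\phi_i(x)$ have absolute value at most

$$r(J)\, r(J^{-1}) = \left(\left(\frac{2}{\pi}\right)^{2sn} \Delta^{n}\right)^{\frac{1}{nd}} = \left(\frac{2}{\pi}\right)^{\frac{2s}{d}} \Delta^{\frac{1}{d}} = b.$$

□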

We point out two interesting consequences:

1. If $\mathbb{K} = \mathbb{Q}$, $R = \mathbb{Z}$, then $\Delta = 1$, $s = 0$, hence $b = 1$. We have an element $x$ of our maximal
order $\Lambda$ which has rank 1 as a matrix from $M_n(\mathbb{Q})$, and with respect to our selected embedding
of $\mathcal{A}$ into $M_n(\mathbb{R})$ has elements of absolute value at most 1. This is essentially Theorem 2.

2. If $D$ is a positive squarefree integer, $\mathbb{K} = \mathbb{Q}(\sqrt{D})$, then $\Delta = D$, if $D$ is congruent to 1
modulo 4, and $\Delta = 4D$, if $D$ is congruent to 3 modulo 4. Then $s = 0$, $d = 2$, hence $b \le 2\sqrt{D}$.

For our algorithm we shall need a more general variant of Lemma 4.

Lemma 8. Let $y \in \Lambda$ be an element such that $\|\phi_i(y)\| < \sqrt{n}$ holds for $i = 1, \dots, r + s$. Then
$y$ is a zero divisor in $\mathcal{A}$.

Proof. As in Lemma 4 we obtain that

$$|\det \phi_i(y)| < 1 \quad \text{for } i = 1, \dots, r + s. \qquad (5)$$

Note that $\det \phi_i(y) = \sigma_i(n(y))$, where $n(y)$ is the reduced norm of $y$ (see Section 9 in [39]).
Inequality (5) implies that

$$|\sigma_1(n(y)) \cdots \sigma_r(n(y))\, \sigma_{r+1}(n(y))\, \overline{\sigma_{r+1}}(n(y)) \cdots \sigma_{r+s}(n(y))\, \overline{\sigma_{r+s}}(n(y))| < 1.$$

Moreover, by Theorem 10.1 from [39] $n(y) \in R$, therefore the number on the left is a rational
integer, giving that $\det \phi_i(y) = 0$ for at least one (and hence for all) $i$. This implies that $y$ is a
zero divisor in $\mathcal{A}$. □

To be able to use lattice basis reduction techniques, we use a transformation which turns a
maximal order in $\mathcal{A}$ into a full lattice in a suitable real linear space. To this end for $y \in \mathcal{A}$ we
form the vectors

$$\Phi(y) := (\phi_1(y), \dots, \phi_r(y), \Re(\phi_{r+1}(y)), \Im(\phi_{r+1}(y)), \dots, \Re(\phi_{r+s}(y)), \Im(\phi_{r+s}(y))).$$

As with (3) and (4), we infer that $\Gamma := \Phi(\Lambda)$ is a full lattice in the real linear space $\mathbb{R}^m$, with
$m = n^2 d$.

We give now the algorithm of Theorem 1 for the general case: as input, we have an algebra
$\mathcal{A}$ over $\mathbb{K}$, given to us by structure constants. Suppose further that $\mathcal{A} \cong M_n(\mathbb{K})$. Our algorithm
outputs an element $x \in \mathcal{A}$ which has rank 1 in $M_n(\mathbb{K})$.



1. Use the Ivanyos-Ronyai algorithm [26] to construct a maximal order $\Lambda$ in $\mathcal{A}$.

2. Compute the embeddings $\phi_i$ of $\mathcal{A}$ into $M_n(\mathbb{C})$ for $i = 1, \dots, r + s$ (they are embeddings
into $M_n(\mathbb{R})$ for $i \le r$) by the deterministic variant [20] of Eberly's algorithm.

3. Form a basis of the full rank lattice $\Gamma \subset \mathbb{R}^m$ with $m = n^2 d$. Note that for the Euclidean
length in $\Gamma$ we have

$$|\Phi(y)|^2 = \sum_{i=1}^{r+s} \|\phi_i(y)\|^2.$$

4. Compute a reduced basis $\mathbf{b}_1, \dots, \mathbf{b}_m$ of the lattice $\Gamma \subset \mathbb{R}^m$ by using Buchmann's
approximate version of the LLL algorithm to achieve the value in (2) for the reducedness factor
$c_m$.

5. If an element $y = \Phi^{-1}(\mathbf{b}_i)$ is a zero divisor in $\mathcal{A}$, then there are two cases. If $\mathrm{rank}\, y = 1$,
then we are done and stop with the output $x := y$. Otherwise, if $1 < \mathrm{rank}\, y < n$, then we
compute the right identity element $e$ of the left ideal $\mathcal{A}y$, set $\mathcal{A} := e\mathcal{A}e$ and go back
to Step 1.

6. At this point we know that $|\mathbf{b}_i| \ge \sqrt{n}$ holds for every $i$. Generate all linear combinations
$\mathbf{w} = \sum_{i=1}^{m} \gamma_i \mathbf{b}_i$, where the $\gamma_i$ are rational integers with

$$|\gamma_i| \le c_m \frac{bn\sqrt{r+s}}{|\mathbf{b}_i|} \le c_m b \sqrt{n(r+s)} = c_m \left(\frac{2}{\pi}\right)^{\frac{2s}{d}} \Delta^{\frac{1}{d}} \sqrt{n(r+s)}$$

until a $\mathbf{w}$ is found such that $\mathrm{rank}\, x = 1$ holds for the $x \in \Lambda$ with $\Phi(x) = \mathbf{w}$. Output this
$x$.
x. 
Proof of Theorem 1. The proof is essentially the same as in the simpler case $\mathbb{K} = \mathbb{Q}$. At Step 6
$\Phi^{-1}(\mathbf{b}_i)$ is necessarily a nonsingular element of $\mathcal{A}$ for $i = 1, \dots, r + s$. By Lemma 8 there must
be a $j$ such that $\|\phi_j(\Phi^{-1}(\mathbf{b}_i))\| \ge \sqrt{n}$, giving that $|\mathbf{b}_i| \ge \sqrt{n}$. Theorem 7 and Lemma 6 (the
latter is applied with $|\mathbf{v}| \le bn\sqrt{r + s}$) show that an element $\mathbf{w}$ with $\mathrm{rank}\, \Phi^{-1}(\mathbf{w}) = 1$ exists
among the linear combinations enumerated.

Here also each Step is carried out a bounded number of times. The number of elements
$\mathbf{w}$ enumerated at Step 6 is at most $(2c_m b\sqrt{n(r + s)} + 1)^m$. This is also bounded by our
assumptions. □



4 Two consequences

From the elementary theory of the Brauer group (see for example Section 12.5 from [37]) we
know that for two central simple algebras $\mathcal{A}$ and $\mathcal{B}$ of the same dimension $n^2$ over a field $\mathbb{K}$ we
have $\mathcal{A} \cong \mathcal{B}$ if and only if

$$\mathcal{A} \otimes_{\mathbb{K}} \mathcal{B}^{op} \cong M_{n^2}(\mathbb{K}). \qquad (6)$$

We outline next how, over an infinite $\mathbb{K}$, one can efficiently recover from an isomorphism
(6) an isomorphism $\sigma : \mathcal{A} \to \mathcal{B}$.

Having isomorphism (6) explicitly implies that we have in our hands a left $\mathcal{A} \otimes_{\mathbb{K}} \mathcal{B}^{op}$-module
$V$ of dimension $n^2$ over $\mathbb{K}$. Then $V$, as a left $\mathcal{A}$-module, is isomorphic to the regular left
$\mathcal{A}$-module because they have the same dimension over $\mathbb{K}$. There exists an element $v \in V$ such
that the map $\phi_v : a \mapsto av$ is a left $\mathcal{A}$-module isomorphism from $\mathcal{A}$ to $V$. The elements $v$ of $V$
which do not generate $V$ as a left $\mathcal{A}$-module are zeros of a certain polynomial on $V$ of degree $n^2$
(the determinant of the linear map $a \mapsto av$). Similarly, the elements $v$ of $V$ for which the map
$\psi_v : b \mapsto vb$ is not a right $\mathcal{B}^{op}$-module isomorphism between $\mathcal{B}^{op}$ and $V$ are zeros of a polynomial
on $V$ of degree $n^2$. Therefore, by the Schwartz-Zippel Lemma there exists an element $v \in V$
for which the maps $\phi_v$ and $\psi_v$ are simultaneously left and right isomorphisms, respectively.
The methods of [2] or [6] for finding large cyclic submodules can be used to obtain first a
left $\mathcal{A}$-module generator $v$ and then essentially the same method can be applied to gradually
transform $v$ to a generator of $V$ as a right $\mathcal{B}^{op}$-module while preserving the property that $v$ is a
left $\mathcal{A}$-module generator for $V$. For example, the method of Lemma 8 from [B] can be used
here. We recall the statement of the lemma for the reader's convenience.

Lemma 9. Let $V$ be an $r$-dimensional module over the semisimple $\mathbb{K}$-algebra $\mathcal{A}$ and $v_1, \dots, v_r$
be a $\mathbb{K}$-basis of $V$. Assume that $v \in V$ is an element of non-maximal rank. Let $\Omega$ be a subset
of $\mathbb{K}^*$ consisting of at least $\mathrm{rk}\, v + 1$ elements. Then there exists a scalar $\omega \in \Omega$ and a basis
element $u \in \{v_1, \dots, v_r\}$ such that $\mathrm{rk}(v + \omega u) > \mathrm{rk}\, v$. (Here the rank $\mathrm{rk}\, v$ of $v$ is defined as the
dimension of the $\mathcal{A}$-submodule of $V$ generated by $v$.)

We claim that if $v \in V$ is an element such that $\phi_v$ and $\psi_v$ are simultaneously isomorphisms
of the respective modules, then $\sigma = \psi_v^{-1}\phi_v$ is an algebra isomorphism between $\mathcal{A}$ and $\mathcal{B}$. It is
obvious that $\sigma$ is a $\mathbb{K}$-linear isomorphism between $\mathcal{A}$ and $\mathcal{B}$. Note that for $a \in \mathcal{A}$, $\sigma a$ is the
unique element $b \in \mathcal{B}$ with the property $av = vb$. Therefore $\sigma(a_1 a_2)$ is the unique element of $\mathcal{B}$
with $a_1 a_2 v = vb$. But $a_1 a_2 v = a_1 v(\sigma a_2) = v(\sigma a_1)(\sigma a_2)$, whence $\sigma(a_1 a_2) = (\sigma a_1)(\sigma a_2)$.

Combining this argument with the algorithm of Theorem 1 for constructing a suitable
module $V$, we obtain the following:
Corollary 10. Let $\mathbb{K}$ be an algebraic number field of degree $d$ and discriminant $\Delta$ over $\mathbb{Q}$. Let
$\mathcal{A}$, $\mathcal{B}$ be central simple algebras over $\mathbb{K}$ of the same dimension $n^2$ given by structure constants.
Suppose that $d$, $n$ and $|\Delta|$ are bounded. If $\mathcal{A}$ and $\mathcal{B}$ are isomorphic, then an isomorphism
$\mathcal{A} \to \mathcal{B}$ can be constructed by a polynomial time ff-algorithm.

The next statement is quite modest. It formulates a very plausible claim, but, to the best
of our knowledge, it was not proven before.

Corollary 11. Let $\mathbb{K}$ be an algebraic number field and $\mathcal{A}$ be an associative algebra over $\mathbb{K}$ given
by structure constants such that $\mathcal{A} \cong M_n(\mathbb{K})$ holds for some integer $n > 1$. Then there exists
a zero divisor $x \in \mathcal{A}$ which admits polynomially bounded coordinates with respect to the input
basis of $\mathcal{A}$. Moreover, such a zero divisor $x$ can be obtained by a polynomial space bounded
computation.

Proof. A slight modification of the algorithm of Theorem 1 will provide a reasonably small
zero divisor: at Step 5 we stop if $y$ is a zero divisor. Note that $y$ has polynomial size as Steps
1-5 constitute a polynomial time ff-algorithm. If no zero divisor is found at Step 5, then
we proceed directly to Step 6. The integral linear combinations considered there have size
polynomial in the input length, and their enumeration can be carried out using polynomial
space only. □

Remark. A more direct, but perhaps algorithmically less efficient proof of Corollary 11 is
possible. Let $c_1, \dots, c_{n^2}$ be the basis of $\Lambda$ given by the Ivanyos-Ronyai algorithm. Express the
element $x$ of Theorem 7 in this basis:

$$x = \alpha_1 c_1 + \alpha_2 c_2 + \cdots + \alpha_{n^2} c_{n^2},$$

with $\alpha_i \in \mathbb{Z}$. Using that $\|x\| \le bn$, and that the vectors $c_i$ have polynomial size, Cramer's rule
implies a polynomial bound on the size of the coefficients $\alpha_i$.

By the well known connection between split cyclic algebras and relative norm equations (see
Theorem 30.4 in Reiner [39]), our results imply that for a number field $\mathbb{K}$ and a cyclic extension
$L$ of $\mathbb{K}$ if a norm equation $N_{L/\mathbb{K}}(x) = a$ is solvable, then there is a solution whose standard
representation has polynomial size (in terms of the size of the standard representation of $a$ and
a basis of $L$). Furthermore, for fixed $\mathbb{K}$ and fixed degree $|L : \mathbb{K}|$, a solution can be found by a
polynomial time ff-algorithm.

We have given here a polynomial time ff-algorithm for the explicit isomorphism problem for
central simple algebras $\mathcal{A}$ of fixed dimension over a fixed number field $\mathbb{K}$. Potential directions
to extend this result may be allowing the dimension of the algebra over $\mathbb{K}$ to grow or allowing $\mathbb{K}$
to vary (even if its degree over $\mathbb{Q}$ remains fixed), or both. Existence of ff-algorithms for finding
an explicit isomorphism of a non-split central simple algebra with the algebra of matrices over a
skewfield is also left open (even in the case of fixed base field, or fixed dimension). It would be
interesting also to develop practical variants and programs for the algorithms presented here.